May 20, 2009

Proactive Malware Scanning

I'll start with a short personal angle -

I have a friend who works as a freelance web site developer and webmaster. Every few weeks he calls me to say that one of the sites he manages seems to be serving malicious JavaScript to its users. It seems to me that this problem is getting out of hand these days: sites are being (silently) hacked into, JavaScript is injected, and it is later served to users.

From what I hear and read, more than 70% of the malware today is served from, or linked from, legitimate web sites.

Take a look at this article from InformationWeek, posted in January 2009:

"Seventy percent of the top 100 Web sites either hosted malicious content or contained a link designed to redirect site visitors to a malicious Web site during the second half of 2008."

The common approach to malware protection and malware scanning today puts the (security) responsibility on the end users (browser protections, A/V, etc.) or on the organizations they browse the web from (content filtering gateways, A/V gateways).

I think that web site owners should start taking responsibility for the content they serve to users, and a simple way to do that is to constantly monitor or scan your own web application for malicious content.

About two years ago I had an interesting thought: if you are already scanning your web application with an automated scanner that can crawl and analyze it deeply (automatic form filling, JavaScript and Flash execution, etc.), why not also try to locate malicious code that is being served to your users?

BTW, malicious code can end up in your application in different ways, such as:

Someone hacked into your application and put it there

You are including web content (or application code) from a 3rd party. This is often the case in Web 2.0 scenarios

You pissed off one of your web developers, and they decided to get back at you by infecting your users with malware

Enter Malware Scanner AppScan eXtension

The Malware Scanner AppScan eXtension helps you verify that your application is not hosting or linking to malware. The extension couples the deep-scanning capabilities of IBM Rational AppScan with ISS X-Force technology that is used to identify malicious content and links.

The Malware Scanner checks whether:

Files hosted on your application are malicious

Files that are "one click" away from your application are malicious

Links on your site lead to malicious domains (malware sites or phishing sites, for example)

Links on your site lead to unwanted content (illegal sites, hate sites, adult content, and so forth)

The Malware Scanner works in two phases:

It passes every visited link through the ISS Virus Prevention System (VPS) engine to determine whether it is malicious. This is similar to browsing every page in your application, including clicking every button and downloading every file, on a machine with up-to-date antivirus software.

It passes every link that leads to an external domain through the ISS WebFilter SDK, which fetches the classification of each link (news site, porn site, malware site, illegal site, and so forth) from a constantly updated online classification database. Links that are deemed malicious or unwanted are flagged for your attention.

When something needs your attention, a security issue is created in Rational AppScan, so that you can use Rational AppScan's results management capabilities, such as creating reports and saving and loading scans.
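To make the two phases concrete, here is an added example of the same procedure written from scratch as a small crawler. It is not the Malware Scanner eXtension's code, and it does not use AppScan, the VPS engine or the WebFilter SDK: the site is an in-memory dict of constructed pages on made-up hosts, the "antivirus" is a SHA-256 denylist plus one constructed regex for the obfuscated injected-JavaScript pattern the post complains about, and the URL classifier is an offline domain map standing in for the online classification service. Every hostname, signature and category here is an assumption for illustration.

```python
import hashlib
import re
from collections import deque
from urllib.parse import urljoin, urlparse

# Constructed sample site: url -> body bytes. None of these hosts are real.
SITE = {
    "https://example.test/": b"""<html><body>
      <script src="/js/app.js"></script>
      <script src="https://cdn.partner.test/widget.js"></script>
      <a href="/downloads/tool.exe">Download tool</a>
      <a href="/about.html">About</a>
      <a href="https://news.test/story">Press coverage</a>
      <a href="https://free-prizes.test/win">Win a prize</a>
    </body></html>""",
    "https://example.test/about.html": b"<html><body><a href='/'>Home</a></body></html>",
    "https://example.test/js/app.js": b"console.log('app loaded');",
    # Third-party script our pages pull in: the "one click away" case.
    "https://cdn.partner.test/widget.js":
        b"document.write(unescape('%3Cscript%3E'));eval(unescape('%61%6C%65%72%74%28%31%29'));",
    # A download hosted on our own site, standing in for a known-bad binary.
    "https://example.test/downloads/tool.exe": b"MZ\x90\x00 constructed bad binary",
}

def fetch(url):
    """Stand-in for the crawler's HTTP client; serves the in-memory site above."""
    return SITE.get(url)

# Phase 1 stand-in for the antivirus engine: a hash denylist plus one content signature.
# The denylist is seeded with the constructed binary above, as if it were a known sample.
KNOWN_BAD_SHA256 = {
    hashlib.sha256(SITE["https://example.test/downloads/tool.exe"]).hexdigest(),
}
# Constructed heuristic for obfuscated injected JavaScript (eval(unescape(...))).
CONTENT_SIGNATURES = {"eval-unescape": re.compile(rb"eval\s*\(\s*unescape\s*\(")}

def check_content(url, body):
    """Return a finding dict if the body is known-bad or matches a signature, else None."""
    digest = hashlib.sha256(body).hexdigest()
    if digest in KNOWN_BAD_SHA256:
        return {"url": url, "phase": "content", "reason": "known-bad sha256 " + digest[:16]}
    for name, sig in CONTENT_SIGNATURES.items():
        if sig.search(body):
            return {"url": url, "phase": "content", "reason": "signature " + name}
    return None

# Phase 2 stand-in for the URL classifier: an offline domain -> category map.
DOMAIN_CATEGORIES = {"news.test": "news", "cdn.partner.test": "cdn", "free-prizes.test": "phishing"}
UNWANTED_CATEGORIES = {"malware", "phishing", "adult", "illegal", "hate"}

def classify(url):
    """Category of the link's host; unknown hosts are reported as 'unclassified'."""
    return DOMAIN_CATEGORIES.get(urlparse(url).hostname, "unclassified")

LINK_RE = re.compile(rb"""(href|src)\s*=\s*["']([^"']+)["']""", re.I)

def scan_site(start_url):
    """Crawl the site; content-check everything fetched, classify every external link."""
    origin = urlparse(start_url).netloc
    queue, seen, findings, reported = deque([start_url]), set(), [], set()

    def report(finding):
        key = (finding["url"], finding["phase"])   # one issue per url and phase
        if key not in reported:
            reported.add(key)
            findings.append(finding)

    while queue:
        url = queue.popleft()
        if url in seen:
            continue
        seen.add(url)
        body = fetch(url)
        if body is None:
            continue
        hit = check_content(url, body)            # phase 1, on every fetched body
        if hit:
            report(hit)
        if urlparse(url).netloc != origin:
            continue                              # only our own pages are crawled for links
        for attr, raw in LINK_RE.findall(body):
            link = urljoin(url, raw.decode())
            if urlparse(link).netloc == origin:
                queue.append(link)                # same-origin page or file: fetch and check it
                continue
            category = classify(link)             # phase 2, external links only
            if category in UNWANTED_CATEGORIES:
                report({"url": link, "phase": "link", "reason": "category " + category})
            if attr.lower() == b"src":
                queue.append(link)                # users load it automatically: check its content too

    return findings

if __name__ == "__main__":
    for f in scan_site("https://example.test/"):
        print(f"[{f['phase']}] {f['url']}: {f['reason']}")
```

Run against the constructed site this reports three issues: the phishing link on the home page, the third-party widget script that matches the obfuscation signature, and the hosted download whose hash is on the denylist. Two caveats carry over to any real deployment of the idea: a hash denylist only catches samples already known (the real product uses a full AV engine for this phase), and the classifier here is local, whereas the real phase 2 sends each external URL to an online categorization service, which is exactly the privacy question raised in the comments below.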

You can read more about the Malware Scanner eXtension and download it from our eXtensions web site (you need to have AppScan installed to run it).

Comments

Does any of the data that gets passed through the ISS Virus Prevention System (VPS) engine and ISS WebFilter SDK have to leave the application? i.e. Is the VPS engine and WebFilter SDK contained within the AppScan Malware Scanner eXtension or is scan data handed off to an external website?

All the content AppScan sees gets passed to the VPS engine, which is a local module that analyzes it and reports on its findings - the data does not leave AppScan's process, let alone the computer.

All links are passed to the WebFilter SDK, which does query an online server for the categories this URL belongs to - so the URL itself is passed. That said, the URL is passed over SSL, there are no private details sent with it (it's anonymous), and it is not stored on the server.

Comments or opinions expressed on this Weblog are the opinions of the authors alone. They are not necessarily reviewed in advance by anyone but the individual authors, and neither IBM nor any other party necessarily agrees with them. The views expressed by outside contributors and links to outside websites do not represent the views of IBM, its management or employees. All content on this Weblog has been made available on an “as-is” basis, and IBM shall not be liable for any direct or indirect damages arising out of use of this Weblog.